Re: KDC Hardware

On Saturday, January 07, 2006 11:38:47 AM +0100 Turbo Fredriksson
<turbo@xxxxxxxxxx> wrote:

> Security? Nah, both need _extraordinary security_ so it's easier to
> safeguard ONE machine than two (* nr of slaves of course :).

On the contrary, depending on what you are using your LDAP directory for,
it may not require any more security than any other application. Even if
this is not the case, traditional operational practice dictates extreme
paranoia where KDCs are concerned, because of the massive impact of a
compromise.

If your LDAP server is compromised, you reinstall the machine, restore the
database from backups, and get on with life, just like for any other
service. Depending on what you store in the directory, it's possible the
intruder obtained sensitive information, but that's also true of other
services, such as a mail server.

Again, depending on what you store in the directory, it's possible that an
intruder who gains the ability to modify the LDAP database has used that to
gain access to other services. Such things might be annoying to track down
and fix, but they can be fixed. Any changes the intruder made can be
rolled back; any deleted data can be restored from backups, etc.

If a KDC is compromised, it becomes necessary to assume that the intruder
has a complete copy of the Kerberos database, including the keys for every
principal. Recovering from such a compromise requires issuing new
passwords to _every_ user and re-keying _every_ service -- and doing it in
such a way that someone who knows the old keys does not discover the new
ones. Any service which has not been re-keyed is vulnerable to the
attacker; since he knows the service's key, he can impersonate any user,
EVEN IF THE KDC IS SHUT DOWN. A similar problem applies in the reverse
direction; an attacker can impersonate the KDC and any service to a user
whose key he knows, EVEN IF THE REAL KDC IS SHUT DOWN.

This is such a massively bad situation that it is worth taking every effort
to protect the Kerberos database from compromise. Running other services
on the same machine is simply not worth the potential pain.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@xxxxxxx>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
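The two failure modes in the post (a stolen service key lets the attacker forge tickets for any user; a stolen user key lets the attacker impersonate the KDC to that user, both with the real KDC switched off) can be shown with a toy model. The following is an added example, not code from the post or from MIT/Heimdal Kerberos: the cipher is a stand-in (HMAC-SHA256 keystream with an HMAC tag) for a real Kerberos enctype, the ticket layout is a simplified sketch rather than the RFC 4120 encoding, and the principal names and `demo()` scenario are made up for illustration.

```python
"""Toy model of why a stolen Kerberos key stays dangerous with the KDC offline.

The cipher is a stand-in (HMAC-SHA256 keystream + HMAC tag) for a Kerberos
enctype; the ticket layout is a simplified sketch, not the RFC 4120 encoding.
Nothing here is the MIT or Heimdal code.
"""
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    """Deterministic keystream from HMAC-SHA256 in counter mode (toy cipher)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt(key, plaintext):
    """Encrypt-then-MAC under `key`; stands in for a Kerberos enctype."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag and decrypt; raises ValueError on wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def make_ticket(service_key, client, service, now, lifetime=36000):
    """Build a service ticket: fields sealed under the service's long-term key.

    This is all the KDC does to issue a ticket, so anyone holding
    `service_key` can do exactly the same with the KDC unreachable.
    """
    session_key = os.urandom(32)
    fields = {"client": client, "service": service, "endtime": now + lifetime,
              "session_key": session_key.hex()}
    return encrypt(service_key, json.dumps(fields).encode()), session_key


def service_accepts(keytab_key, ticket, now):
    """Service side: decrypt with its own key, check the lifetime, and trust
    the client name inside. Returns that name or raises ValueError."""
    fields = json.loads(decrypt(keytab_key, ticket))
    if fields["endtime"] < now:
        raise ValueError("ticket expired")
    return fields["client"]


def make_as_rep(user_key, session_key):
    """KDC reply to a user: session key sealed under the user's long-term key."""
    return encrypt(user_key, json.dumps({"session_key": session_key.hex()}).encode())


def client_accepts(user_key, as_rep):
    """Client side: trusts whoever produced a reply that decrypts under its key."""
    return bytes.fromhex(json.loads(decrypt(user_key, as_rep))["session_key"])


def demo(now=1_000_000):
    """Run the compromise scenario from the post; returns each party's verdict.
    Principal names and keys are constructed for the example."""
    kdc_db = {"alice": os.urandom(32), "host/fs.example": os.urandom(32)}
    fs_keytab = kdc_db["host/fs.example"]   # copy held by the file server
    alice_key = kdc_db["alice"]             # derived from alice's password
    out = {}

    # Normal operation: the KDC issues alice a ticket and the service honours it.
    tkt, _ = make_ticket(kdc_db["host/fs.example"], "alice", "host/fs.example", now)
    out["legit"] = service_accepts(fs_keytab, tkt, now)

    # Compromise: attacker copies the database; the KDC is then shut down.
    stolen = dict(kdc_db)
    del kdc_db

    # Direction 1: with the service key, forge a ticket for a user who never logged in.
    forged, _ = make_ticket(stolen["host/fs.example"], "admin", "host/fs.example", now)
    out["forged_before_rekey"] = service_accepts(fs_keytab, forged, now)

    # Direction 2: with alice's key, impersonate the KDC to alice's client.
    fake_session = os.urandom(32)
    fake_rep = make_as_rep(stolen["alice"], fake_session)
    out["client_fooled"] = client_accepts(alice_key, fake_rep) == fake_session

    # Recovery: re-key the service (new keytab) and alice (new password).
    fs_keytab, alice_key = os.urandom(32), os.urandom(32)
    try:
        service_accepts(fs_keytab, forged, now)
        out["forged_after_rekey"] = True
    except ValueError:
        out["forged_after_rekey"] = False
    try:
        client_accepts(alice_key, fake_rep)
        out["client_fooled_after_rekey"] = True
    except ValueError:
        out["client_fooled_after_rekey"] = False
    return out
```

Running `demo()` shows the service accepting a forged ticket for `admin` and the client accepting a forged reply, both with no KDC in the picture; only after the service keytab and the user's password are replaced do the forgeries fail, which is why the post insists that every principal must be re-keyed.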

________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
